author | Rich Burridge <rich.burridge@oracle.com> |
Fri, 14 Jun 2013 16:37:38 -0700 | |
changeset 1345 | ee87318d9935 |
child 2198 | 168b8acace5f |
permissions | -rw-r--r-- |
1345
ee87318d9935
PSARC 2013/113 snort 2.9.2
Rich Burridge <rich.burridge@oracle.com>
Provide the directory where snort will initially look for DAQ modules.

This patch has not been sent upstream, because the Solaris integration
of libdaq is different from the way that Linux systems do this.

On Linux systems, DAQ installs two static libraries:

    /usr/lib/libdaq_static.a
    /usr/lib/libdaq_static_modules.a

When snort is being configured, you see:

    ...
    checking for daq_load_modules in -ldaq_static... yes
    ...

and at link time we see "-ldaq_static ... -ldaq_static_modules ...".

This means that when you start snort running, it knows where to
look for a set of DAQ modules that it loads. This is done with
a call to the DAQ routine daq_load_modules().

On Solaris, we do not provide those two static libraries (or their 64-bit
equivalents). Therefore, by default, a call to daq_load_modules() using
the dynamic libraries doesn't know where to look for any DAQ modules.

Now you can override this by starting snort with:

    $ sudo /usr/bin/snort --daq-dir /usr/lib/64/daq

or

    $ sudo /usr/bin/snort -c /etc/snort.conf

or something similar, but that doesn't allow:

    $ sudo /usr/bin/snort

to work, right out of the box, which is what snort users would expect.

To resolve this, at snort initialization time on Solaris, the code has
been adjusted to specify a single default DAQ module directory:

    /usr/lib/64/daq

--- snort-2.9.2/src/snort.c.orig 2013-05-15 11:52:06.640833897 -0700 |
+++ snort-2.9.2/src/snort.c 2013-05-15 11:58:03.040482526 -0700 |
@@ -3677,6 +3677,9 @@ |
{ |
SnortConfig *sc = (SnortConfig *)SnortAlloc(sizeof(SnortConfig)); |
|
+ /* Define where to look for DAQ modules. */ |
+ ConfigDaqDir(sc, "/usr/lib/64/daq"); |
+ |
sc->pkt_cnt = -1; |
sc->pkt_snaplen = -1; |
/*user_id and group_id should be initialized to -1 by default, because |
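Review bot: The added `ConfigDaqDir(sc, "/usr/lib/64/daq");` call, placed right after the `SnortAlloc` of the config, hard-codes the 64-bit module path as a string literal and is not wrapped in any platform or word-size conditional, although the description presents it as a Solaris-specific default. Suggest taking the path from a build-time define so a differently built binary does not silently point at the wrong directory, and extending the comment `/* Define where to look for DAQ modules. */` to say that this is the Solaris default and how it interacts with a `--daq-dir` given on the command line or in the configuration file. Because the description has snort started under `sudo` and loading whatever modules it finds in this directory, the comment or packaging notes should also state that `/usr/lib/64/daq` is expected to be root-owned and not writable by other users.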